From 02265ba224ec086cb91afdbf50d2d400731e7e9e Mon Sep 17 00:00:00 2001
From: izzy <me@insrt.uk>
Date: Wed, 3 Dec 2025 12:13:52 +0000
Subject: [PATCH] chore: validate filename for deletion

---
 server/src/services/database-backup.service.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/server/src/services/database-backup.service.ts b/server/src/services/database-backup.service.ts
index 6333dbba12..02c1bda93f 100644
--- a/server/src/services/database-backup.service.ts
+++ b/server/src/services/database-backup.service.ts
@@ -16,6 +16,10 @@ export class DatabaseBackupService extends BaseService {
   }
 
   async deleteBackup(files: string[]): Promise<void> {
+    if (files.some((filename) => !isValidBackupName(filename))) {
+      throw new BadRequestException('Invalid backup name!');
+    }
+
     await Promise.all(files.map((filename) => deleteBackup(this.backupRepos, basename(filename))));
   }